<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 8.6.8" />
<link rel="Shortcut Icon" href="/images/favicon.ico" type="image/x-icon" />
<title></title>
<link rel="stylesheet" href="asciidoc-2.css" tppabs="http://old.peachfuzzer.com/v2/asciidoc.css" type="text/css" />
<link rel="stylesheet" href="website-2.css" tppabs="http://old.peachfuzzer.com/v2/website.css" type="text/css" />
</head>

<body>

<div id="layout-content-box">
<div id="layout-content">
<div id="content">
<div class="sect1">
<h2 id="_sql_stored_procedure_fuzzing">SQL Stored Procedure Fuzzing</h2>
<div class="sectionbody">
</div>
</div>
<div class="sect1">
<h2 id="_first_install_mysql_v5_1">First Install MySQL v5.1+</h2>
<div class="sectionbody">
<div class="paragraph"><p><strong>Configure with:</strong></p></div>
<div class="listingblock">
<div class="content"><!-- Generator: GNU source-highlight 3.1.7
by Lorenzo Bettini
http://www.lorenzobettini.it
http://www.gnu.org/software/src-highlite -->
<pre><tt><span style="font-weight: bold"><span style="color: #0000FF">create</span></span> <span style="font-weight: bold"><span style="color: #0000FF">table</span></span> <span style="font-weight: bold"><span style="color: #0000FF">if</span></span> <span style="font-weight: bold"><span style="color: #0000FF">not</span></span> <span style="font-weight: bold"><span style="color: #0000FF">exists</span></span> testtable <span style="color: #990000">(</span>
   msg <span style="color: #009900">varchar</span><span style="color: #990000">(</span><span style="color: #993399">255</span><span style="color: #990000">)</span>
<span style="color: #990000">);</span>

delimiter <span style="font-style: italic"><span style="color: #9A1900">//</span></span>
<span style="font-weight: bold"><span style="color: #0000FF">CREATE</span></span> <span style="font-weight: bold"><span style="color: #0000FF">PROCEDURE</span></span> testproc<span style="color: #990000">(</span><span style="font-weight: bold"><span style="color: #0000FF">IN</span></span> parameter1 <span style="color: #009900">VARCHAR</span><span style="color: #990000">(</span><span style="color: #993399">255</span><span style="color: #990000">))</span>
BEGIN
   <span style="font-weight: bold"><span style="color: #0000FF">insert</span></span> <span style="font-weight: bold"><span style="color: #0000FF">into</span></span> testtable <span style="color: #990000">(</span>msg<span style="color: #990000">)</span> <span style="font-weight: bold"><span style="color: #0000FF">values</span></span> <span style="color: #990000">(</span>parameter1<span style="color: #990000">);</span>
END<span style="color: #990000">;</span>
<span style="font-style: italic"><span style="color: #9A1900">//</span></span>
delimiter <span style="color: #990000">;</span></tt></pre></div></div>
</div>
</div>
<div class="sect1">
<h2 id="_create_an_odbc_dsn">Create an ODBC DSN</h2>
<div class="sectionbody">
<div class="paragraph"><p>Create an ODBC DSN called "TestMySql" that connects to your MySQL instance and the correct database.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_update_pit">Update PIT</h2>
<div class="sectionbody">
<div class="paragraph"><p>Update this pit with the correct DSN, user, and password, which go in the <tt>dsn</tt> parameter of the <tt>sql.Odbc</tt> publisher.</p></div>
<div class="listingblock">
<div class="content"><!-- Generator: GNU source-highlight 3.1.7
by Lorenzo Bettini
http://www.lorenzobettini.it
http://www.gnu.org/software/src-highlite -->
<pre><tt><span style="font-weight: bold"><span style="color: #000080">&lt;?xml</span></span> <span style="color: #009900">version</span><span style="color: #990000">=</span><span style="color: #FF0000">"1.0"</span> <span style="color: #009900">encoding</span><span style="color: #990000">=</span><span style="color: #FF0000">"utf-8"</span><span style="font-weight: bold"><span style="color: #000080">?&gt;</span></span>
<span style="font-weight: bold"><span style="color: #0000FF">&lt;Peach</span></span> <span style="color: #009900">xmlns</span><span style="color: #990000">=</span><span style="color: #FF0000">"http://phed.org/2008/Peach"</span>
<span style="color: #009900">xmlns:xsi</span><span style="color: #990000">=</span><span style="color: #FF0000">"http://www.w3.org/2001/XMLSchema-instance"</span>
       <span style="color: #009900">xsi:schemaLocation</span><span style="color: #990000">=</span><span style="color: #FF0000">"http://phed.org/2008/Peach /peach/peach.xsd"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>

       <span style="font-weight: bold"><span style="color: #0000FF">&lt;Include</span></span> <span style="color: #009900">ns</span><span style="color: #990000">=</span><span style="color: #FF0000">"default"</span> <span style="color: #009900">src</span><span style="color: #990000">=</span><span style="color: #FF0000">"file:defaults.xml"</span><span style="font-weight: bold"><span style="color: #0000FF">/&gt;</span></span>
       <span style="font-weight: bold"><span style="color: #0000FF">&lt;Include</span></span> <span style="color: #009900">ns</span><span style="color: #990000">=</span><span style="color: #FF0000">"pt"</span> <span style="color: #009900">src</span><span style="color: #990000">=</span><span style="color: #FF0000">"file:PeachTypes.xml"</span><span style="font-weight: bold"><span style="color: #0000FF">/&gt;</span></span>

       <span style="font-weight: bold"><span style="color: #0000FF">&lt;DataModel</span></span> <span style="color: #009900">name</span><span style="color: #990000">=</span><span style="color: #FF0000">"TheDataModel"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>
               <span style="font-weight: bold"><span style="color: #0000FF">&lt;String</span></span> <span style="color: #009900">value</span><span style="color: #990000">=</span><span style="color: #FF0000">"Peachy"</span><span style="font-weight: bold"><span style="color: #0000FF">/&gt;</span></span>
       <span style="font-weight: bold"><span style="color: #0000FF">&lt;/DataModel&gt;</span></span>

       <span style="font-weight: bold"><span style="color: #0000FF">&lt;StateModel</span></span> <span style="color: #009900">name</span><span style="color: #990000">=</span><span style="color: #FF0000">"TheState"</span> <span style="color: #009900">initialState</span><span style="color: #990000">=</span><span style="color: #FF0000">"Initial"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>

               <span style="font-weight: bold"><span style="color: #0000FF">&lt;State</span></span> <span style="color: #009900">name</span><span style="color: #990000">=</span><span style="color: #FF0000">"Initial"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>
                       <span style="font-weight: bold"><span style="color: #0000FF">&lt;Action</span></span> <span style="color: #009900">type</span><span style="color: #990000">=</span><span style="color: #FF0000">"call"</span> <span style="color: #009900">method</span><span style="color: #990000">=</span><span style="color: #FF0000">"call testproc(?)"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>
                               <span style="font-weight: bold"><span style="color: #0000FF">&lt;Param</span></span> <span style="color: #009900">name</span><span style="color: #990000">=</span><span style="color: #FF0000">"p1"</span> <span style="color: #009900">type</span><span style="color: #990000">=</span><span style="color: #FF0000">"in"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>
                                       <span style="font-weight: bold"><span style="color: #0000FF">&lt;DataModel</span></span> <span style="color: #009900">ref</span><span style="color: #990000">=</span><span style="color: #FF0000">"TheDataModel"</span><span style="font-weight: bold"><span style="color: #0000FF">/&gt;</span></span>
                               <span style="font-weight: bold"><span style="color: #0000FF">&lt;/Param&gt;</span></span>
                       <span style="font-weight: bold"><span style="color: #0000FF">&lt;/Action&gt;</span></span>
               <span style="font-weight: bold"><span style="color: #0000FF">&lt;/State&gt;</span></span>
       <span style="font-weight: bold"><span style="color: #0000FF">&lt;/StateModel&gt;</span></span>

       <span style="font-weight: bold"><span style="color: #0000FF">&lt;Test</span></span> <span style="color: #009900">name</span><span style="color: #990000">=</span><span style="color: #FF0000">"TheTest"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>
               <span style="font-weight: bold"><span style="color: #0000FF">&lt;StateModel</span></span> <span style="color: #009900">ref</span><span style="color: #990000">=</span><span style="color: #FF0000">"TheState"</span><span style="font-weight: bold"><span style="color: #0000FF">/&gt;</span></span>

               <span style="font-weight: bold"><span style="color: #0000FF">&lt;Publisher</span></span> <span style="color: #009900">class</span><span style="color: #990000">=</span><span style="color: #FF0000">"sql.Odbc"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>
                       <span style="font-weight: bold"><span style="color: #0000FF">&lt;Param</span></span> <span style="color: #009900">name</span><span style="color: #990000">=</span><span style="color: #FF0000">"dsn"</span> <span style="color: #009900">value</span><span style="color: #990000">=</span><span style="color: #FF0000">"TestMySql/root/password"</span><span style="font-weight: bold"><span style="color: #0000FF">/&gt;</span></span>
               <span style="font-weight: bold"><span style="color: #0000FF">&lt;/Publisher&gt;</span></span>
       <span style="font-weight: bold"><span style="color: #0000FF">&lt;/Test&gt;</span></span>

       <span style="font-weight: bold"><span style="color: #0000FF">&lt;Run</span></span> <span style="color: #009900">name</span><span style="color: #990000">=</span><span style="color: #FF0000">"DefaultRun"</span><span style="font-weight: bold"><span style="color: #0000FF">&gt;</span></span>
               <span style="font-weight: bold"><span style="color: #0000FF">&lt;Test</span></span> <span style="color: #009900">ref</span><span style="color: #990000">=</span><span style="color: #FF0000">"TheTest"</span><span style="font-weight: bold"><span style="color: #0000FF">/&gt;</span></span>
       <span style="font-weight: bold"><span style="color: #0000FF">&lt;/Run&gt;</span></span>
<span style="font-weight: bold"><span style="color: #0000FF">&lt;/Peach&gt;</span></span></tt></pre></div></div>
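<div class="paragraph"><p>A pre-flight check for this pit, added here as an example (it is not part of Peach or of the original page): it confirms that every <tt>call</tt> action has as many <tt>Param</tt> elements as <tt>?</tt> markers and that the publisher's <tt>dsn</tt> value was actually updated. The function names <tt>parse_dsn</tt> and <tt>check_pit</tt> are hypothetical; the DSN/user/password layout and the one-<tt>Param</tt>-per-marker rule are assumptions read off the pit above.</p></div>

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://phed.org/2008/Peach"}  # namespace declared by the pit on this page

# Constructed sample: the page's pit, cut down to the elements the check reads.
SAMPLE_PIT = """<Peach xmlns="http://phed.org/2008/Peach">
  <DataModel name="TheDataModel"><String value="Peachy"/></DataModel>
  <StateModel name="TheState" initialState="Initial">
    <State name="Initial">
      <Action type="call" method="call testproc(?)">
        <Param name="p1" type="in"><DataModel ref="TheDataModel"/></Param>
      </Action>
    </State>
  </StateModel>
  <Test name="TheTest">
    <StateModel ref="TheState"/>
    <Publisher class="sql.Odbc">
      <Param name="dsn" value="TestMySql/root/password"/>
    </Publisher>
  </Test>
</Peach>"""


def parse_dsn(value):
    """Split a dsn value laid out as DSN/user/password (layout assumed from the page's pit)."""
    parts = value.split("/", 2)  # a password may itself contain "/"
    if len(parts) != 3 or not all(parts):
        return None
    return dict(zip(("dsn", "user", "password"), parts))


def check_pit(pit_xml):
    """Return a list of problems that would make the stored-procedure call fail or misfire."""
    root = ET.fromstring(pit_xml)
    problems = []
    models = {m.get("name") for m in root.findall("p:DataModel", NS)}  # top-level models only

    for action in root.iterfind(".//p:Action[@type='call']", NS):
        method = action.get("method", "")
        params = action.findall("p:Param", NS)
        # Assumption: one <Param> per "?" marker; "?" inside string literals is not handled.
        if method.count("?") != len(params):
            problems.append("%s: %d marker(s), %d Param(s)"
                            % (method, method.count("?"), len(params)))
        for param in params:
            ref = param.find("p:DataModel", NS)
            if ref is None or ref.get("ref") not in models:
                problems.append("Param %s: no known DataModel" % param.get("name"))

    for pub in root.iterfind(".//p:Publisher[@class='sql.Odbc']", NS):
        dsn = pub.find("p:Param[@name='dsn']", NS)
        fields = parse_dsn(dsn.get("value", "")) if dsn is not None else None
        if fields is None:
            problems.append("Publisher: dsn is not DSN/user/password")
        elif fields["password"] == "password":
            problems.append("Publisher: dsn still has the tutorial's sample password")
    return problems


if __name__ == "__main__":
    for problem in check_pit(SAMPLE_PIT):
        print(problem)
```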
</div>
</div>
<div class="sect1">
<h2 id="_run">Run!</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre><code>C:\peach&gt;peach -1 test.xml

] Peach 2.3 MS Runtime
] Copyright (c) Michael Eddington

[*] Performing single iteration
Warning: Run 'DefaultRun' does not have logging configured!
[*] Starting run "DefaultRun"
[-] Test: "TheTest" (None)
[1:?:?] Running test with mutator N/A
-- Completed our iteration range, exiting
[-] Test "TheTest" completed
[*] Run "DefaultRun" completed
C:\peach&gt;</code></pre>
</div></div>
<div class="paragraph"><p>My MySQL table looked like this:</p></div>
<div class="listingblock">
<div class="content">
<pre><code>mysql&gt; select * from testtable;
+-------------+
| msg         |
+-------------+
| Peachy      |
+-------------+
2 rows in set (0.00 sec)</code></pre>
</div></div>
</div>
</div>
<div class="sect1">
<h2 id="_next_steps">Next Steps</h2>
<div class="sectionbody">
<div class="paragraph"><p>From here you would want to configure an agent to attach a debugger to your SQL server executable and monitor for crashes.  Good targets are native stored procedures exposed by Microsoft SQL Server, IBM DB2, etc.  Fuzzing pure SQL stored procedures, such as in this example, is likely not a good use of your time ;)</p></div>
</div>
</div>
</div>
<div id="footnotes"></div>
<div id="footer">
<div id="footer-text">

<table width="100%">
<tr><td>
<a href="http://dejavusecurity.com/"><img src="dejavusecurity.png" height="50"/></a>
</td><td>&nbsp;&nbsp;&nbsp;</td><td>

Copyright (c) <a href="http://dejavusecurity.com/">Deja vu Security</a> <br/>
Last updated 2014-02-23 21:22:09 PST
</td></tr>
</table>

</div>
</div>
</div>
</div>
</body>
</html>
